Copy exploit and ethical release of information
|
Qubius Quinn
Q²
Join date: 5 Jun 2005
Posts: 8
|
08-18-2005 16:12
I'm reposting this from the Linden forum because I'm getting no response from Linden and normal users cannot reply. What should I do? Linden is ignoring me. This is an exploitable bug... what do I do?
--- Repost ----
Nearly 48 [edit: now 64+] hours ago I submitted a bug report that included what I think is a no-copy exploit. By exploiting this bug someone can copy no-copy items if the creator packaged and transferred their item in a certain manner. I think this has the potential to be a dangerous exploit depending on how many creators package their items in this manner (I have no idea how many have).
I've received no response from Linden (other than the automated "consider the matter resolved" email). Without a response or a fix I take this to mean that they don't consider this a bug. Since I consider this type of thing dangerous I think content creators should be warned of the potential to inadvertently allow others to copy no-copy items. How long should I wait for Linden to respond to this before I warn the public (if ever)?
|
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
|
08-18-2005 16:15
LL takes copy exploits very seriously. You need to privately supply LL with enough info that they can reproduce the exploit/bug. Don't tell anyone else or other people may figure out how it's done before LL can fix it. They don't ignore things like this.
_____________________
 My other hobby: www.live365.com/stations/chip_midnight
|
Jeffrey Gomez
Cubed™
Join date: 11 Jun 2004
Posts: 3,522
|
08-18-2005 16:19
You're not alone in this sentiment. The general consensus I have seen is that the permissions system needs to be fixed in a manner that works for everyone, as opposed to its current form that tends to be misleading in several ways. Unfortunately, bringing the issue to the forums has historically led to flame wars regarding theft and some pretty direct attacks (which I may be bringing upon myself for mentioning here).
The best course of action at present would be to raise awareness of the issue in-world and to attempt to lobby the Lindens directly, as the forums are only frequented by a small percentage of the population. Plus, we've been told here that overhauling the permissions system is currently a low priority, whereas nagging exploits are slammed immediately.
Edit: And yes, if it's a new exploit (other than the known "flaws"), take it to them immediately and in private, as Chip has mentioned.
_____________________
---
|
Qubius Quinn
Q²
Join date: 5 Jun 2005
Posts: 8
|
Hiding the secret knowledge
08-18-2005 18:12
Thanks for the responses. I definitely prefer to keep this quiet until Linden fixes it but I'm not getting any response from them through the "Hotline to Linden" forum or my bug submission. For now I'll wait and ignore the in-game IMs I'm receiving. But if Linden is serious about fixing these then before too long I'm going to have to assume that Linden considers it a feature rather than an exploitable bug. In which case it should be documented as what not to do as it is easy to do by mistake.
|
Hank Ramos
Lifetime Scripter
Join date: 15 Nov 2003
Posts: 2,328
|
08-18-2005 18:35
Set the information free! 
|
FlipperPA Peregrine
Magically Delicious!
Join date: 14 Nov 2003
Posts: 3,703
|
08-19-2005 10:55
I'd recommend contacting Kona Linden directly. He's very friendly and loves people who can demonstrate solid repros on bugs.
-Flip
_____________________
Peregrine Salon: www.PeregrineSalon.com - my consulting company Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
08-19-2005 11:37
I've also found that going through the prescribed channels for reporting bugs is woefully inadequate for serious issues. I second Flipper's advice to take it directly to a Linden. Brent Linden has stated in the past that you should IM him directly if the bug is serious enough. I imagine if you contact the right person, they'll take it seriously and escalate it properly. However, don't be surprised if it's the first time they've heard of the problem even after you reported it properly.
|
Qubius Quinn
Q²
Join date: 5 Jun 2005
Posts: 8
|
Be patient, it's a virtue
08-19-2005 13:12
I'd love to demonstrate this to a Linden but unfortunately I am only in SL in the evenings and the number of Lindens in game is quite low at that point. I did talk to a Linden last night (sorry I forgot the name) and she said basically that just because I haven't heard anything that doesn't mean they are not working on it and if I want to follow up send an e-mail to tech support. I'm awfully surprised that they are not responding.
|
FlipperPA Peregrine
Magically Delicious!
Join date: 14 Nov 2003
Posts: 3,703
|
08-19-2005 18:34
With the amount of bug reports and abuse reports received, it's simply not possible to reply to each one. In a typical week, I normally file 2 or 3 bug reports, so I can understand why.
Regards,
-Flip
_____________________
Peregrine Salon: www.PeregrineSalon.com - my consulting company Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
|
Huns Valen
Don't PM me here.
Join date: 3 May 2003
Posts: 2,749
|
08-20-2005 21:57
From: Ushuaia Tokugawa
I imagine if you contact the right person, they'll take it seriously and escalate it properly. However, don't be surprised if it's the first time they've heard of the problem even after you reported it properly.

A liaison failed to escalate a far more serious bug that was reported, sending an email instead of getting someone on the phone. I don't know whether that was a one-time lapse, or an unfavorable indication of LL's safety culture.
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
08-21-2005 01:02
Qubius: Please contact me inworld. Just because a Linden isn't online doesn't mean they don't get their IMs. I'm all too willing to help out even on off hours. Find > People > Brent Linden. I'd like to see this in action. We are actively fixing a few other exploits that may be the same as this, however I still want to verify the bug with you, thanks!
In the future please privately submit exploit bugs to a Linden who is an officer in the Bug Hunters group. That's the best way to get those *serious* bugs checked out.
Brent
_____________________
The best way to predict the future is to invent it. -Alan Kay
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
08-23-2005 10:47
Here's my reply to this copy 'exploit':
I was told this isn't getting fixed 'soon', because it's a big change to the way permissions are applied. The workaround is not to apply permissions via the Inventory (since next-owner permissions are applied when objects are rezzed). Or apply the permissions in your inventory, drop the object, and Take it again. We do not consider it an exploit because you (as the creator of the objects) have the ability to set them properly.
In the Debug menu, check "Debug Permissions". Then go through your repro until you rez the object. In your inventory, open the Properties of that object. Then check the N: permissions. Notice there is an asterisk '*'. That means the permissions will be set on the next rez.
I'm sorry if this explanation isn't to your liking. I was informed that this issue has been around for a while. Since it hasn't caused a public outcry, we're holding off on patching it up until we can really fix it (and permissions in general).
If you have further questions please let me know, and thanks again for trying to help us nab the bugs!
---
I'd like to add that the only 'quick-fix' I can think of for this would be to disallow setting object permissions in the Inventory's Properties floater. I think that's a bad idea, and that you all would throw various tortured torii my way for even suggesting such a thing.
So if you'll all just stand over here while I pull out this red, blinky thing...
_____________________
The best way to predict the future is to invent it. -Alan Kay
|
Merwan Marker
Booring...
Join date: 28 Jan 2004
Posts: 4,706
|
08-23-2005 10:53
From: FlipperPA Peregrine
With the amount of bug reports and abuse reports received, it's simply not possible to reply to each one. In a typical week, I normally file 2 or 3 bug reports, so I can understand why.
Regards,
-Flip

Well then stop filing 'em! Geez
_____________________
Don't Worry, Be Happy - Meher Baba
|
Hiro Queso
503less
Join date: 23 Feb 2005
Posts: 2,753
|
08-23-2005 10:55
From: Brent Linden Here's my reply to this copy 'exploit':
I was told this isn't getting fixed 'soon', because it's a big change to the way permissions are applied. The workaround is not to apply permissions via the Inventory (since next-owner permissions are applied when objects are rezzed). Or apply the permissions in your inventory, drop the object, and Take it again. We do not consider it an exploit because you (as the creator of the objects) have the ability to set them properly.
In the Debug menu, check "Debug Permissions". Then go through your repro until you rez the object. In your inventory, open the Properties of that object. Then check the N: permissions. Notice there is an asterisk '*'. That means the permissions will be set on the next rez.
I'm sorry if this explanation isn't to your liking. I was informed that this issue has been around for a while. Since it hasn't caused a public outcry, we're holding off on patching it up until we can really fix it (and permissions in general).
If you have further questions please let me know, and thanks again for trying to help us nab the bugs!
---
I'd like to add that the only 'quick-fix' I can think of for this would be to disallow setting object permissions in the Inventory's Properties floater. I think that's a bad idea, and that you all would throw various tortured torii my way for even suggesting such a thing.
So if you'll all just stand over here while I pull out this red, blinky thing...

Brent, I have read through your post and found it a little confusing. Do you need to know what the 'exploit' is to be able to understand the 'fix'?
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
08-23-2005 11:12
Ah, yes, sorry. Since it's not really an exploit and more an undesired/unexpected result I think full disclosure on it is a good idea!
- Create an object and set it to no-copy via the Edit floater.
- Take it.
- Create a cube prim (box) and drop the object into the box.
- Take the box.
- Right click the box in your Inventory and choose 'Properties'.
- Set it to fully-permissive (modify/copy/transfer). Close the Properties floater.
- Give the object to a friend.
* They will notice they can rez multiple copies of the object, even though the permissions should be (no copy) on the container object. The container should inherit the permissions of the least-permissive asset within it. Technically it does, but those permissions are not applied until it is rezzed.
* They will also notice that they cannot shift-drag the object in-world because the permissions are applied when the object is rezzed.
This can be a problem if you tend to set your containers fully-permissive. Solution? Don't change the permissions of containers in your Inventory.
_____________________
The best way to predict the future is to invent it. -Alan Kay
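
The behaviour described in the post above, as a simplified Python model added here for illustration (not Linden Lab's code and not part of any post): a container's stored next-owner mask versus the least-permissive mask of its contents, with a creator-side audit for the pending '*' state. The class, function names and the transfer-time check in `give_eager` are assumptions made for the example.

```python
from dataclasses import dataclass, field

ALL = frozenset({"modify", "copy", "transfer"})

@dataclass
class Item:
    name: str
    next_owner: frozenset                      # stored next-owner permissions
    contents: list = field(default_factory=list)
    pending: bool = False                      # the '*' under "Debug Permissions"

def least_permissive(item):
    """Item's own mask intersected with the mask of everything inside it."""
    perms = item.next_owner
    for child in item.contents:
        perms &= least_permissive(child)
    return perms

def set_in_inventory(item, perms):
    """Properties-floater edit: stored as given, contents not consulted yet."""
    item.next_owner, item.pending = frozenset(perms), True

def rez(item):
    """Rezzing is where the inherited mask is finally applied."""
    item.next_owner, item.pending = least_permissive(item), False

def give_deferred(item):
    """Behaviour described in the thread: recipient gets the stored mask."""
    return item.next_owner

def give_eager(item):
    """Assumed hardening: fold the contents in at transfer time."""
    return least_permissive(item)

def audit(inventory):
    """Creator-side check: pending containers granting more than their contents."""
    return [i.name for i in inventory
            if i.pending and i.next_owner - least_permissive(i)]

def demo():
    script = Item("lock script", frozenset({"modify", "transfer"}))  # no-copy
    box = Item("door box", ALL, [script])      # constructed sample items
    rez(box)                       # box built in-world, then taken
    set_in_inventory(box, ALL)     # creator re-opens it to full-perm in Inventory
    before = ("copy" in give_deferred(box), "copy" in give_eager(box), audit([box]))
    rez(box)                       # workaround: drop the box and Take it again
    after = ("copy" in give_deferred(box), audit([box]))
    return before, after

if __name__ == "__main__":
    print(demo())
```
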
|
Kim Anubis
The Magician
Join date: 3 Jun 2004
Posts: 921
|
08-23-2005 13:43
Thanks for the explanation, Brent. This is the type of info that should be posted on bulletin boards at telehubs, for all the folks who don't frequent forums.
_____________________
http://www.TheMagicians.us 
|
Qubius Quinn
Q²
Join date: 5 Jun 2005
Posts: 8
|
Thanks Brent
08-23-2005 20:33
Thank you, Brent, for looking at this. I hope that this information spreads enough so that other content creators can avoid this situation. I only found this bug because I wanted to distribute a no-copy script (door locking mechanism) that I sell inside copyable and modifiable prims (freely available doors). Could have serious consequences if I gave out a no-copy/resell script in a copy prim.
|